Sunday, April 30, 2017

I am not a fan of hijackers and phishing criminals. But social engineering has become the most common way to crack, target and steal any online account. Those hijackers either lack sufficient skills to penetrate a system, or the system is too tedious to penetrate or hack; thus they resort to sending phishing attacks. When you send a phishing attack, you can be as creative as you want, and the sky is the limit. In this case, they started by creating virtually identical pages, which is an easy step:

Real Apple Login Page:

Fake Apple Login Page:

Real Apple Phishing Link:

Fake Apple Phishing Link:

Ironically, the phishing website was linking to non-HTTPS images, which Chrome detected, and not only that, they could not fake the EV certificate, which says "Apple Inc.". Comparing the source code of both pages confirmed the phishing attack.
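The two signals described above (sub-resources loaded over plain HTTP, and a certificate that does not name "Apple Inc.") can be checked mechanically. The following is an added example, not code from the original post; the helper names, hosts, HTML and certificate dictionaries are constructed for illustration, and the certificate is assumed to be a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ResourceCollector(HTMLParser):
    """Collect absolute URLs of images, scripts and frames referenced by a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.resources = base_url, []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    # urljoin resolves relative and protocol-relative (//host) URLs
                    self.resources.append(urljoin(self.base_url, value.strip()))

def insecure_resources(page_url, html):
    """Sub-resources the page would fetch over plain HTTP."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.resources if urlparse(u).scheme == "http"]

def cert_organization(cert):
    """organizationName from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None  # domain-validated certificates name no organization

def login_page_findings(page_url, html, cert, expected_org):
    """Hypothetical helper: list the reasons a login page looks wrong."""
    findings = [f"insecure sub-resource: {u}" for u in insecure_resources(page_url, html)]
    org = cert_organization(cert)
    if org != expected_org:
        findings.append(f"certificate organization is {org!r}, expected {expected_org!r}")
    return findings

# Constructed sample input; hosts and certificate fields are made up for the example.
FAKE_URL = "https://appleid.phish.example/login"
FAKE_HTML = """<img src="http://static.phish.example/logo.png">
<img src="/img/lock.png"><script src="//cdn.phish.example/app.js"></script>"""
FAKE_CERT = {"subject": ((("commonName", "appleid.phish.example"),),)}
GOOD_CERT = {"subject": ((("organizationName", "Apple Inc."),),
                         (("commonName", "login.example"),))}

if __name__ == "__main__":
    for finding in login_page_findings(FAKE_URL, FAKE_HTML, FAKE_CERT, "Apple Inc."):
        print(finding)
```

The organization field also appears in organization-validated certificates, so this check is weaker than a browser's EV validation; it catches the case where the certificate names no organization or a different one.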

After I entered dummy data, a two-step authentication page opened, where the attackers assumed I had set it up. They did not have my mobile number or my devices, so they asked me to add a mobile number (which doesn't happen on a real Apple login page). If I had entered correct login information, their system would have sent me the verification code, I would have given it to them, and bingo, they would have accessed my Apple ID.

This is one of the best phishing attacks I have ever received; I was really impressed by it. Even the spoofed email (support@apple.com) bypassed Outlook's spam filters and went into my inbox. But the formatting of the email really looked suspicious. They succeeded in gaining my attention by saying that a purchase had been made from my account.